Re: Ringbuf pcap reading and "bogus savefile header" error

[Guy Harris <guy () alum mit edu>]

On Dec 6, 2016, at 10:12 PM, Tugrul Erdogan <h.tugrul.erdogan () gmail com> wrote:

> There is a pcap file which stores last X seconds of packets. And with each
> X seconds of a period, a new pcap file is created.
>
> I can successfully read the initial pcap file for X seconds with "tail -n+o
> -F <filename> | tcpdump -r - -nn".


To quote the Linux man page for tail:

        -n, --lines=K
output the last K lines, instead of the last 10; or use -n +K to output lines starting with the Kth

The word "lines" appears in that text.

Pcap files do not have lines, so any program that processes a pcap file as if it had lines in it will almost certainly 
do something wrong with the file.

        tail -n+o

or, if this is what you really meant:

        tail -n+0

processes the file it's reading as if it has lines in it, so it will almost certainly do something wrong with the file

You could *try* doing

        tail -F <filename> | tcpdump -r - -nn

but I'm not sure even *that* is guaranteed to treat the file as if it were a binary file - which is exactly what a pcap 
file is.
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers